

Saturday, July 28, 2007

Information Security Forum

From Wikipedia, the free encyclopedia

Information Security Forum (ISF) is an international, independent, not-for-profit organization dedicated to benchmarking and best practices in information security. It was established in 1989 as the European Security Forum but expanded its mission and membership in the 1990s, so that it now includes hundreds of members, including a large number of Fortune 500 companies, from North America, Asia, and other locations around the world. Groups of members are organized as chapters throughout Europe, Africa, Asia, the Middle East, and North America. The ISF is headquartered in London, England, but also has staff based in New York City.

The membership of the ISF is international and includes large organizations in transportation, financial services, chemical/pharmaceutical, manufacturing, government, retail, media, telecommunications, energy, professional services, and other sectors.

In addition to the benchmarking program, the ISF runs regional chapter meetings, topical workshops, a large annual conference (called the "World Congress"), and develops and publishes research reports and tools addressing a wide variety of subjects. Its research agenda is driven entirely by its member organizations, who govern all ISF activities.

Primary deliverables

The ISF delivers a range of content, activities, and tools, which are summarized below.

The ISF is a paid membership organization, although the Standard of Good Practice is available for free. From time to time, the ISF makes other research documents available for free. In the past, the ISF has given away a comprehensive checklist on Windows server security and a report entitled The Disappearance of the Network Boundary. Other products and services are included in the membership fee.

The Standard of Good Practice

Main article: Standard of Good Practice

Every two years, the ISF revises and publishes the Standard of Good Practice, a detailed documentation of best practices in information security, based on research and a comprehensive benchmarking program that has captured security behavior and detailed incident data for many years.

Research projects

Based on member input, the ISF selects a number of topics for research in a given year. The research includes interviewing member and non-member organizations and thought leaders, academic researchers, and other key individuals, as well as examining the range of approaches to the issue. The resulting reports typically go into depth describing the issue generally, outlining the key information security issues to be considered, and proposing a process to address the issue, based on best practices.

Methodologies and tools

For broad, fundamental areas, such as information risk assessment or return-on-investment calculations, the ISF develops comprehensive methodologies that formalize the approaches to these issues. Supporting each methodology, the ISF supplies Web-based and spreadsheet-based tools to automate these functions.

Benchmarking program

Formerly called the "Information Security Status Survey," the ISF conducts a biannual benchmarking exercise that comprehensively examines the information-security practices of participants in all the areas addressed by the Standard of Good Practice (although participants need not adhere to the Standard in order to participate in the benchmarking). The results include detailed information on how responses compare (anonymously) to other participants. The results system allows for detailed analysis, factoring in market sector, subject scope, organizational measures (such as number of employees or revenue), and other elements.


Regional chapter meetings and other activities provide for face-to-face networking among peers in differing organizations. The ISF encourages direct member-to-member contact to address individual member questions and to strengthen relationships. Chapter meetings and other activities are conducted around the world and address local issues and language/cultural dimensions.

World Congress

The ISF's annual global conference is called the "Annual World Congress", and it takes place in a different city each year. In 2007 the conference was held in Washington, DC. The typically 2 1/2 day conference includes plenary sessions by leaders in information security, personal development, practical workshops conducted by member organizations, and a substantial evening social program. The program focuses on information-security practitioners; the participation of vendors is limited to an exhibition area and a few invited speakers.

Web portal (MX)

The ISF's extranet portal, "Member Exchange" (also MX or MX²) allows members to directly access all ISF materials, including member presentations, and also includes messaging forums, contact information, webcasts, and other data for member use.

Information security management system

From Wikipedia, the free encyclopedia

An Information Security Management System (ISMS) is, as the name suggests, a system of management concerned with information security. The term arises primarily out of ISO/IEC 17799, a code of practice for information security management published by the International Organization for Standardization in 2000. ISO 17799 will eventually be revised and re-issued in the ISO 2700x suite.

The best known ISMS is ISO/IEC 27001, published by the ISO, complementary to ISO/IEC 17799 (developed from BS 7799-1). A system for certification against BS 7799-2:2002 is well established (note that it is not possible to get ISO/IEC 17799 certified).

ISM3 (pronounced ISM-cubed) is the only other ISMS that is accreditable. ISM3 was developed from ITIL, ISO 9001, CMM and ISO27001 and Information Governance concepts. ISM3 can be used as a template to make ISO 9001 compliant information security management systems. While ISO27001 is controls based, ISM3 is process based. ISM3 has process metrics included.

Other ISMSs are:

* ISF Standard of Good Practice
* ITIL Security Management
* COBIT v4.0

International Electrotechnical Commission (IEC)

From Wikipedia, the free encyclopedia

The International Electrotechnical Commission (IEC) is a not-for-profit, non-governmental international standards organization that prepares and publishes International Standards for all electrical, electronic and related technologies – collectively known as "electrotechnology". IEC standards cover a vast range of technologies from power generation, transmission and distribution to home appliances and office equipment, semiconductors, fibre optics, batteries, solar energy, nanotechnology and marine energy to mention just a few. Wherever you find electricity and electronics, you find the IEC supporting safety and performance, the environment, electrical energy efficiency and renewable energies. The IEC also manages conformity assessment schemes that certify whether equipment, systems or components conform to its International Standards. The IEC publishes standards with the IEEE and develops standards jointly with the ISO as well as the ITU.

The IEC held its inaugural meeting on 26 June 1906, following discussions between the British IEE, the American IEEE (then called IEE), and others, which began at the 1900 Paris International Electrical Congress, and continued with Colonel R. E. B. Crompton playing a key role. It currently counts more than 130 countries. Sixty-seven of these are members, while another 69 participate in the Affiliate Country Programme, which is not a form of membership but is designed to help industrializing countries get involved with the IEC. Originally located in London, the commission moved to its current headquarters in Geneva in 1948. It now has regional centres in Asia-Pacific (Singapore), Latin America (São Paulo, Brazil) and North America (Boston, USA).

The IEC charter embraces all electrotechnologies including energy production and distribution, electronics, magnetics and electromagnetics, electroacoustics, multimedia and telecommunication, as well as associated general disciplines such as terminology and symbols, electromagnetic compatibility (through its Advisory Committee on Electromagnetic Compatibility, ACEC), measurement and performance, dependability, design and development, safety and the environment.

Today, the IEC is the world's leading international organization in its field, and its standards are adopted as national standards by its members. The work is done by some 10 000 electrical and electronics experts from industry, government, academia, test labs and others with an interest in the subject.

The IEC was instrumental in developing and distributing standards for units of measurement, particularly the gauss, hertz, and weber. They also first proposed a system of standards, the Giorgi System, which ultimately became the SI, or Système International d’unités (in English, the International System of Units).

In 1938, it published a multilingual international vocabulary to unify electrical terminology. This effort continues, and the International Electrotechnical Vocabulary remains an important work in the electrical and electronic industries.

IEC standards have numbers in the range 60000–79999 and their titles take a form such as IEC 60417: Graphical symbols for use on equipment. The numbers of older IEC standards were converted in 1997 by adding 60000, for example IEC 27 became IEC 60027.

Standards developed jointly with ISO such as ISO/IEC 26300, Open Document Format for Office Applications (OpenDocument) v1.0 carry the acronym of both organizations. The use of the ISO/IEC prefix is limited to publications from ISO/IEC Joint Technical Committee 1 on Information Technology, as well as some ISO/IEC guides.

The CISPR (Comité International Spécial des Perturbations Radioélectriques) – in English, the International Special Committee on Radio Interference – is one of the groups founded by the IEC.


The IEC is made up of members, called national committees, and each NC represents its nation's electrotechnical interests in the IEC. This includes manufacturers, providers, distributors and vendors, consumers and users, all levels of governmental agencies, professional societies and trade associations as well as standards developers from national standards bodies. National committees are constituted in different ways. Some NCs are public sector only, some are a combination of public and private sector, and some are private sector only. About 90% of those who prepare IEC standards work in industry.

Member countries include:

* Argentina - Instituto Argentino de Normalización y Certificación (IRAM)
* Australia - Standards Australia
* Austria - Österreichischer Verband für Elektrotechnik (ÖVE)
* Brazil - Comitê Brasileiro de Eletricidade, Eletrônica, Iluminação e Telecomunicações (Cobei)
* Canada - Standards Council of Canada
* China - Standardization Administration of China (SAC)
* France - Union technique de l'électricité et de la communication (UTE)
* Germany - Deutsche Kommission Elektrotechnik Elektronik Informationstechnik im DIN & VDE
* India - Bureau of Indian Standards (BIS)
* Italy - Comitato Elettrotecnico Italiano (CEI)
* Japan - Japanese Industrial Standards Committee
* Russia - Federal Agency for Technical Regulation and Metrology (Rostekhregulirovaniye)
* South Africa - South African Bureau of Standards (SABS)
* Spain - Asociación Española de Normalización y Certificación (AENOR)
* Switzerland - Swiss Electrotechnical Committee (CES)
* Vietnam - Vietnamese National Committee Directorate for Standards and Quality (STAMEQ)
* United Kingdom - British Standards Institute (BSI)
* United States - American National Standards Institute (ANSI)

Quantitative Risk Analysis

The difference between quantitative and qualitative RA is fairly simple: quantitative RA attempts to assign independently objective numeric values (hard dollars, for example) to the components of the risk assessment and to the assessment of potential losses. Qualitative RA addresses the more intangible values of a data loss and focuses on the other issues, rather than the pure hard costs.

When all elements (asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability) are measured, rated, and assigned values, the process is considered to be fully quantitative. However, fully quantitative risk analysis is not possible because qualitative measures must be applied. Thus, the reader should be aware that just because the figures look hard on paper does not mean it is possible to foretell the future with any certainty.

A quantitative risk analysis process is a major project, and as such it requires a project or program manager to manage the main elements of the analysis. A major part of the initial planning for the quantitative RA is the estimation of the time required to perform the analysis. In addition, a detailed process plan must also be created, and roles must be assigned to the RA team.

Preliminary Security Examination (PSE). A PSE is often conducted before the actual quantitative RA. The PSE helps to gather the elements that will be needed when the actual RA takes place. A PSE also helps to focus an RA. Elements that are defined during this phase include asset costs and values, a listing of various threats to an organization (in terms of threats to both the personnel and the environment), and documentation of the existing security measures. The PSE is normally then subject to a review by an organization's management before the RA begins.

Automated Risk Analysis Products

There are several good automated risk analysis products on the market. The main objectives of these products are to minimize the manual effort that must be expended to create the risk analysis and to provide a company with the ability to forecast its expected losses quickly with different input variations. The creation of a database during an initial automated process enables the operator to rerun the analysis using different parameters, creating a "what-if" scenario. These products enable the users to perform calculations quickly in order to estimate future expected losses, thereby determining the benefit of their implemented safeguards.

Risk Analysis Steps

The three primary steps in performing a risk analysis are similar to the steps in performing a Business Impact Assessment (see Chapter 6, "Operations Security"). However, a risk analysis is commonly much more comprehensive and is designed to be used to quantify complicated, multiple-risk scenarios.

The three primary steps are as follows:
1. Estimate the potential losses to assets by determining their value.
2. Analyze potential threats to the assets.
3. Define the Annualized Loss Expectancy (ALE).

Estimate Potential Losses

To estimate the potential losses incurred when a threat is realized, the assets must first be valued, commonly using some sort of standard asset valuation process (this is described in more detail later). An asset's financial value is then assigned by performing the EF and SLE calculations.

Analyze Potential Threats

Here we determine what the threats are, and how likely and how often they are to occur. To define the threats, we must also understand the asset's vulnerabilities and perform an ARO calculation for the threat and vulnerabilities.

All types of threats should be considered in this section, no matter whether they seem likely or not. It may be helpful to organize the threat listing by the source of the threats or by their expected magnitude. In fact, some organizations can provide statistics on the frequency of various threats that occur in your area. In addition, the other domains of InfoSec discussed in this book have several varied listings of the categories of

Some of the following categories of threats could be included in this section:

* Data Classification. Data aggregation or concentration that results in data inference, covert channel manipulation, a malicious code/virus/Trojan horse/worm/logic bomb, or a concentration of responsibilities (lack of separation of duties)
* Information Warfare. Technology-oriented terrorism, malicious code or logic, or emanation interception for military or economic espionage
* Personnel. Unauthorized or uncontrolled system access, the misuse of technology by authorized users, tampering by disgruntled employees, or falsified data input
* Application/Operational. Ineffective security application that results in procedural errors or incorrect data entry
* Criminal. Physical destruction or vandalism, the theft of assets or information, organized insider theft, armed robbery, or physical harm to personnel
* Environmental. Utility failure, service outage, natural disasters, or neighboring
* Computer Infrastructure. Hardware/equipment failure, program errors, operating system flaws, or a communications system failure
* Delayed Processing. Reduced productivity or a delayed funds collection that results in reduced income, increased expenses, or late charges

Define the Annualized Loss Expectancy (ALE)

Once the SLE and ARO have been determined, we can estimate the ALE using the
formula we previously described.

After performing the Risk Analysis, the final results should contain the following:

* Valuations of the critical assets in hard costs
* A detailed listing of significant threats
* Each threat's likelihood and its possible occurrence rate
* Loss potential by a threat — the dollar impact the threat will have on an asset
* Recommended remedial measures and safeguards or countermeasures

There are three generic remedies to risk, which may take the form of either one or a combination of the following three:

* Risk Reduction. Taking measures to alter or improve the risk position of an asset throughout the company
* Risk Transference. Assigning or transferring the potential cost of a loss to another party (like an insurance company)
* Risk Acceptance. Accepting the level of loss that will occur, and absorbing that loss
The remedy chosen will usually be the one that results in the greatest risk reduction,
while retaining the lowest annual cost necessary to maintain a company.
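The three steps and the remedy choice above, worked through in Python as an added example (not part of the original text). It assumes the standard formulas the text refers to as "previously described", SLE = AV × EF and ALE = SLE × ARO, and scores each remedy by its net annual value (ALE reduction minus annual cost); the asset, threat and safeguard figures are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Threat:
    name: str
    category: str   # one of the categories listed above, e.g. "Environmental"
    ef: float       # exposure factor: fraction of the asset's value lost per occurrence
    aro: float      # annualized rate of occurrence: expected events per year

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    ef_factor: float = 1.0          # EF multiplier once in place (1.0 = no change)
    aro_factor: float = 1.0         # ARO multiplier once in place
    kind: str = "Risk Reduction"    # or "Risk Transference" for insurance-style remedies

def sle(asset_value: float, threat: Threat) -> float:
    """Single loss expectancy: SLE = AV * EF (step 1, what one occurrence costs)."""
    return round(asset_value * threat.ef, 2)

def ale(asset_value: float, threat: Threat) -> float:
    """Annualized loss expectancy: ALE = SLE * ARO (step 3)."""
    return round(sle(asset_value, threat) * threat.aro, 2)

def ale_after(asset_value: float, threat: Threat, sg: Safeguard) -> float:
    """ALE once a safeguard has scaled EF and/or ARO: the "what-if" rerun with new parameters."""
    mitigated = replace(threat, ef=threat.ef * sg.ef_factor, aro=threat.aro * sg.aro_factor)
    return ale(asset_value, mitigated)

def safeguard_value(asset_value: float, threat: Threat, sg: Safeguard) -> float:
    """Net annual benefit of a safeguard: ALE reduction minus its annual cost (assumed form)."""
    return round(ale(asset_value, threat) - ale_after(asset_value, threat, sg) - sg.annual_cost, 2)

def choose_remedy(asset_value: float, threat: Threat, options: list) -> tuple:
    """Greatest net risk reduction wins; if no option pays for itself, accept the loss.
    Transference is an option whose cost is the premium and whose ef_factor is the uninsured share."""
    scored = sorted(options, key=lambda s: safeguard_value(asset_value, threat, s), reverse=True)
    if not scored or safeguard_value(asset_value, threat, scored[0]) <= 0:
        return ("Risk Acceptance", None)
    return (scored[0].kind, scored[0].name)

# Constructed figures: one asset (a file server and its data) and one environmental threat.
FILE_SERVER_VALUE = 500_000.0
FIRE = Threat("fire in server room", "Environmental", ef=0.6, aro=0.05)
OPTIONS = [
    Safeguard("gas fire suppression", annual_cost=4_000, ef_factor=0.25),
    Safeguard("nightly off-site backups", annual_cost=6_000, ef_factor=0.5),
    Safeguard("fire insurance", annual_cost=20_000, ef_factor=0.1, kind="Risk Transference"),
]

if __name__ == "__main__":
    print("SLE:", sle(FILE_SERVER_VALUE, FIRE), "ALE:", ale(FILE_SERVER_VALUE, FIRE))
    for sg in OPTIONS:
        print(f"{sg.name}: net value per year {safeguard_value(FILE_SERVER_VALUE, FIRE, sg)}")
    print("chosen remedy:", choose_remedy(FILE_SERVER_VALUE, FIRE, OPTIONS))
```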


Kerberos is a trusted, third-party authentication protocol that was developed under Project Athena at MIT. In Greek mythology, Kerberos is a three-headed dog that guards the entrance to the Underworld.

Using symmetric key cryptography, Kerberos authenticates clients to other entities on a network from which a client requires services. The rationale and architecture behind Kerberos can be illustrated by using a university environment as an example. In such an environment, there are thousands of locations for workstations, local networks, and PC computer clusters. Client locations and computers are not secure, so one cannot assume the cabling is secure. Messages, therefore, are not secure from interception. However, a few specific locations and servers can be secured and can serve as trusted authentication mechanisms for every client and service on that network. These centralized servers implement the Kerberos-trusted Key Distribution Center (KDC), Kerberos Ticket Granting Service (TGS), and Kerberos Authentication Service (AS). Windows 2000 provides a Kerberos implementation.

The basic principles of Kerberos operation are as follows:
1. The KDC knows the secret keys of all clients and servers on the
2. The KDC initially exchanges information with the client and server by using these secret keys.
3. Kerberos authenticates a client to a requested service on a server through the TGS, and by issuing temporary symmetric session keys for communications between the client and KDC, the server and the KDC, and the client and server.
4. Communication then takes place between the client and the server using those temporary session keys.
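The four principles above simulated end to end, as an added example that is not part of the original text: a KDC that holds every principal's secret key runs the AS and TGS exchanges, the client obtains a ticket-granting ticket and then a service ticket, and the server admits the client using only its own key. All names, keys and messages are constructed here, and a SHA-256 keystream with an HMAC tag stands in for the symmetric cipher a real Kerberos implementation uses.

```python
import hashlib, hmac, json, os, time

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream: SHA-256 in counter mode. A stand-in for a real cipher, not one to deploy.
    out = b""
    for ctr in range(0, n, 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON message under a symmetric key: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")  # only the right principal can open it
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _ticket(key: bytes, client: str, lifetime: float = 600) -> tuple:
    """A fresh temporary session key plus a ticket carrying it, sealed under the recipient's key."""
    sk = os.urandom(32)
    return sk, seal(key, {"client": client, "key": sk.hex(), "exp": time.time() + lifetime})

def _check(ticket: dict, authenticator: dict) -> None:
    if ticket["client"] != authenticator["client"] or ticket["exp"] < time.time():
        raise ValueError("authenticator does not match ticket, or ticket expired")

class KDC:
    """Principle 1: the KDC holds every principal's secret key; the TGS key is 'krbtgt'."""
    def __init__(self, keys: dict):
        self.keys = keys

    def authentication_service(self, client: str) -> bytes:
        # AS-REP: client<->TGS session key and a TGT, sealed under the client's own key (principle 2).
        sk, tgt = _ticket(self.keys["krbtgt"], client)
        return seal(self.keys[client], {"tgs_key": sk.hex(), "tgt": tgt.hex()})

    def ticket_granting_service(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        # TGS-REP: verify the TGT, then issue a client<->service key and service ticket (principle 3).
        t = unseal(self.keys["krbtgt"], tgt)
        tgs_key = bytes.fromhex(t["key"])
        _check(t, unseal(tgs_key, authenticator))
        sk, ticket = _ticket(self.keys[service], t["client"])
        return seal(tgs_key, {"svc_key": sk.hex(), "ticket": ticket.hex()})

def client_login(kdc: KDC, client: str, client_key: bytes, service: str) -> tuple:
    """Client side of both exchanges; returns the session key and the AP-REQ for the service."""
    rep = unseal(client_key, kdc.authentication_service(client))
    tgs_key = bytes.fromhex(rep["tgs_key"])
    auth = seal(tgs_key, {"client": client, "ts": time.time()})
    rep2 = unseal(tgs_key, kdc.ticket_granting_service(bytes.fromhex(rep["tgt"]), auth, service))
    svc_key = bytes.fromhex(rep2["svc_key"])
    ap_req = (bytes.fromhex(rep2["ticket"]), seal(svc_key, {"client": client, "ts": time.time()}))
    return svc_key, ap_req

def service_accept(service_key: bytes, ap_req: tuple) -> tuple:
    """Principle 4: the server opens the ticket with its own key and trusts the name sealed inside."""
    t = unseal(service_key, ap_req[0])
    _check(t, unseal(bytes.fromhex(t["key"]), ap_req[1]))
    return t["client"], bytes.fromhex(t["key"])
```

Because the server never talks to the KDC during the login, a ticket sealed for one service is useless to another service and to anyone without the client's key, which is the property the text's "secure a few servers" argument relies on.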

The Big Three

Confidentiality, integrity, and availability (C.I.A.) represent the three fundamental principles of information security. All of the information security controls and safeguards, and all of the threats, vulnerabilities, and security processes, are subject to the C.I.A. yardstick.

Confidentiality. In InfoSec, the concept of confidentiality attempts to prevent the intentional or unintentional unauthorized disclosure of a message's contents. Loss of confidentiality can occur in many ways, such as through the intentional release of private company information or through a misapplication of network rights.

Integrity. In InfoSec, the concept of integrity ensures that:

* Modifications are not made to data by unauthorized personnel or processes
* Unauthorized modifications are not made to data by authorized personnel or processes
* The data are internally and externally consistent, i.e., the internal information is consistent among all subentities and the internal information is consistent with the real-world, external situation

Availability. In InfoSec, the concept of availability ensures the reliable and timely access to data or computing resources by the appropriate personnel. In other words, availability guarantees that the systems are up and running when they are needed. In addition, this concept guarantees that the security services needed by the security practitioner are in working order.